==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x6d8/0x750 mm/filemap.c:163
Read of size 4 at addr ffff88811260e470 by task syz-executor.1/21553

CPU: 1 PID: 21553 Comm: syz-executor.1 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x6d8/0x750 mm/filemap.c:163
 __delete_from_page_cache+0xc6/0x5b0 mm/filemap.c:231
 __remove_mapping+0x566/0x690 mm/vmscan.c:1197
 shrink_page_list+0x25f1/0x5820 mm/vmscan.c:1789
 shrink_inactive_list mm/vmscan.c:2261 [inline]
 shrink_list mm/vmscan.c:2506 [inline]
 shrink_lruvec+0x17e9/0x4340 mm/vmscan.c:5694
 shrink_node_memcgs mm/vmscan.c:5886 [inline]
 shrink_node+0x1077/0x24e0 mm/vmscan.c:5916
 shrink_zones mm/vmscan.c:6119 [inline]
 do_try_to_free_pages+0x5b6/0x1570 mm/vmscan.c:6177
 try_to_free_mem_cgroup_pages+0x36c/0x850 mm/vmscan.c:6491
 memory_max_write+0x265/0x470 mm/memcontrol.c:6431
 cgroup_file_write+0x290/0x590 kernel/cgroup/cgroup.c:3943
 kernfs_fop_write_iter+0x2c4/0x410 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2159 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0xd8a/0x1160 fs/read_write.c:594
 ksys_write+0x199/0x2c0 fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:656
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f2f1dec3169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2f1cc36168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2f1dfe2f80 RCX: 00007f2f1dec3169
RDX: 0000000000000012 RSI: 0000000020000080 RDI: 0000000000000007
RBP: 00007f2f1df1eca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff7480400f R14: 00007f2f1cc36300 R15: 0000000000022000
 </TASK>

The buggy address belongs to the page:
page:ffffea0004498380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11260e
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152dc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 18937, ts 1157630969787, free_ts 1158460443643
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2502
 prep_new_page mm/page_alloc.c:2508 [inline]
 get_page_from_freelist+0x2c14/0x2cf0 mm/page_alloc.c:4291
 __alloc_pages+0x386/0x7b0 mm/page_alloc.c:5569
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 __get_free_pages+0xe/0x30 mm/page_alloc.c:5606
 alloc_one_pg_vec_page net/packet/af_packet.c:4285 [inline]
 alloc_pg_vec net/packet/af_packet.c:4315 [inline]
 packet_set_ring+0x74d/0x2590 net/packet/af_packet.c:4400
 packet_setsockopt+0x1029/0x1f90 net/packet/af_packet.c:3777
 __sys_setsockopt+0x4dc/0x840 net/socket.c:2179
 __do_sys_setsockopt net/socket.c:2190 [inline]
 __se_sys_setsockopt net/socket.c:2187 [inline]
 __x64_sys_setsockopt+0xbf/0xd0 net/socket.c:2187
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1370 [inline]
 free_pcp_prepare mm/page_alloc.c:1442 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3441
 free_unref_page+0xac/0x2c0 mm/page_alloc.c:3521
 free_the_page mm/page_alloc.c:711 [inline]
 __free_pages+0x61/0xf0 mm/page_alloc.c:5645
 free_pages+0x7c/0x90 mm/page_alloc.c:5656
 free_pg_vec net/packet/af_packet.c:4271 [inline]
 packet_set_ring+0x19cf/0x2590 net/packet/af_packet.c:4490
 packet_release+0x76e/0xcb0 net/packet/af_packet.c:3110
 __sock_release net/socket.c:649 [inline]
 sock_close+0xdf/0x270 net/socket.c:1317
 __fput+0x3fe/0x910 fs/file_table.c:280
 ____fput+0x15/0x20 fs/file_table.c:308
 task_work_run+0x129/0x190 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0xc4/0xe0 kernel/entry/common.c:175
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:301
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff88811260e300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811260e380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811260e400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff88811260e480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811260e500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
syz-executor.1 invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=1000
CPU: 1 PID: 21553 Comm: syz-executor.1 Tainted: G    B             5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 dump_stack+0x15/0x17 lib/dump_stack.c:113
 dump_header+0xd8/0x6d0 mm/oom_kill.c:466
 oom_kill_process+0xef/0x2d0 mm/oom_kill.c:1027
 out_of_memory+0x6c2/0xab0 mm/oom_kill.c:1170
 mem_cgroup_out_of_memory+0x25d/0x3b0 mm/memcontrol.c:1677
 memory_max_write+0x356/0x470 mm/memcontrol.c:6438
 cgroup_file_write+0x290/0x590 kernel/cgroup/cgroup.c:3943
 kernfs_fop_write_iter+0x2c4/0x410 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2159 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0xd8a/0x1160 fs/read_write.c:594
 ksys_write+0x199/0x2c0 fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:656
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f2f1dec3169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2f1cc36168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2f1dfe2f80 RCX: 00007f2f1dec3169
RDX: 0000000000000012 RSI: 0000000020000080 RDI: 0000000000000007
RBP: 00007f2f1df1eca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff7480400f R14: 00007f2f1cc36300 R15: 0000000000022000
 </TASK>
memory: usage 16660kB, limit 0kB, failcnt 0
swap: usage 0kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz1:
anon 6524928
file 10481664
kernel_stack 0
pagetables 0
percpu 0
sock 0
shmem 10465280
file_mapped 290816
file_dirty 8192
file_writeback 0
swapcached 0
anon_thp 0
file_thp 0
shmem_thp 0
inactive_anon 6524928
active_anon 10465280
inactive_file 36864
active_file 32768
unevictable 0
slab_reclaimable 0
slab_unreclaimable 0
slab 0
workingset_refault_anon 0
workingset_refault_file 0
workingset_activate_anon 0
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=syz1,mems_allowed=0,oom_memcg=/syz1,task_memcg=/syz1,task=syz-executor.1,pid=15747,uid=0
Memory cgroup out of memory: Killed process 15747 (syz-executor.1) total-vm:54672kB, anon-rss:2116kB, file-rss:14336kB, shmem-rss:0kB, UID:0 pgtables:88kB oom_score_adj:1000